Hack of Saudi Arabia Exposes Middle East Cybersecurity Flaws

More than a year after a drowned Syrian toddler washed up on a beach in Turkey, the tiny refugee’s body, captured in a photograph that shocked the world, reappeared on computer screens across Saudi Arabia — this time as a prelude to a cyberattack.

The strike last month disabled thousands of computers across multiple government ministries in Saudi Arabia, a rare use of offensive cyberweapons aimed at destroying computers and erasing data. The attackers, who haven’t claimed responsibility, used the same malware that was employed in a 2012 assault against Saudi Arabian Oil Co., known as Saudi Aramco, and which destroyed 35,000 computers within hours.

The Middle East, home to almost half of global oil reserves and much of its natural gas, is also a magnet for some of the world’s costliest cyberattacks, PricewaterhouseCoopers LLP said in a March 2016 report. The threat is set to grow as online activity mushrooms amid the region’s myriad geopolitical conflicts and tensions.

“For the last couple of years the U.S. Department of Defense has been trying to get the Gulf states to harden their defenses,” said James Lewis, senior vice president at the Center for Strategic and International Studies in Washington, D.C. “Some of them are in OK shape. Saudi Arabia is not.”

Damage Unclear

The extent of the damage isn’t clear, though two people informed of the security breach said it targeted the Saudi central bank, the transportation ministry and the agency that runs the country’s airports. One bright spot is that the Saudis have been able to restore some lost data via back-ups, recovering faster than they did after the 2012 strike, said one person familiar with the clean-up.

The central bank, known as the Saudi Arabian Monetary Authority, denied that its systems were breached. The country’s General Authority of Civil Aviation said damage to its networks was limited to some office systems and employee e-mails.

While the assault was similar to the one that hit Saudi Aramco four years ago, the impact was “much smaller” and didn’t disrupt transportation or aviation services, said Abbad Al Abbad, executive director for Strategic Development and Communication at the Riyadh-based National Cyber Security Center.

Online Market

“We will always have a race between those who are exploiting security vulnerabilities and those who are defending against them,” said Wael Fattouh, a Saudi-based PwC partner specializing in technology risk assurance.

Cyberattacks in the Middle East threaten more than governments and public facilities — they put economic development at risk. A unified regional online market could expand to include 160 million users by 2025 and add about $95 billion to gross domestic product, according to consultant McKinsey & Co. Saudi Arabia, the United Arab Emirates and other Arab states in the Gulf are leading this growth.

“The rapid adoption of digitization in the U.A.E. and Gulf Cooperation Council countries has made the region an attractive target for a wide array of security breaches,” Mohit Shrivastava, a senior analyst for information security at consultant MarketsandMarkets, said in a Dec. 5 e-mail.

Six months ago, FireEye Inc. detected cybercriminal strikes on Middle Eastern banks that were launched through e-mail attachments. The California-based cybersecurity company said the attackers appeared to be probing for targets.

Stuxnet, Flame

U.S. officials have said Iran was behind the 2012 attack against Saudi Aramco, and investigators also suspect Iranian hackers of involvement in the November blitz on Saudi government bodies. Media officials at Iran’s Foreign Ministry weren’t immediately available for comment.

Iran too has been a victim of cybersabotage. A computer worm known as Stuxnet derailed work at the country’s main uranium-enrichment facilities in 2010, and the Flame virus crippled the Iranian energy industry two years later. Iran suggested that both incidents involved Israel, which doesn’t comment on its reported involvement in cyberattacks.

Last month’s attack in Saudi Arabia suggests that investment alone doesn’t ensure protection. Middle Eastern companies are among the world’s top 10 in terms of buying cybersecurity technology but in the bottom 50 for education and training, according to the PwC report, which surveyed 10,000 businesses, 300 of them in the Middle East. Of 700 executives in GCC countries polled by the Dubai-based Gulf Business Machines this year, about half thought they were incapable of preventing cyberattacks.
“It will take more than just the allocation of financial resources to keep ourselves safe from today’s cyberthreats,” Mohammed al Zarooni, acting director general of information and e-government at the U.A.E.’s Telecommunications Regulatory Authority, said at a November conference in Abu Dhabi. “Building human capacity is just as critical.”

Jens Monrad, a senior intelligence analyst at FireEye, said he sees positive signs for cybersecurity in the Middle East, including a growing awareness of the issue and stronger government support.

“But this is a complex challenge,” he said by e-mail. “It is important for organizations to recognize their cybersecurity challenges cannot ever be solved with technology alone.”